I'm looking into it

Sent from Outlook for Android

From: Morten Brekkevold <morten.brekkevold@sikt.no>
Sent: Thursday, June 6, 2024 9:58:42 AM
To: mehmet.sahin@tubitak.gov.tr <mehmet.sahin@tubitak.gov.tr>
Cc: nav-users@lister.sikt.no <nav-users@lister.sikt.no>; Joar Heimonen <joarheimonen@live.no>
Subject: Re: [Nav-users] NAV - Palo Alto Plugin: MAC Records Keep Expiring
 
On Wed 05 Jun 2024 at 13:53, Mehmet E. Şahin (BAŞKANLIK-BİDB) <mehmet.sahin@tubitak.gov.tr> wrote:

> We started using the new Palo Alto plugin with excitement. It
> successfully retrieves the ARP table from the Palo Alto firewall as
> XML every 20 minutes.
>
> However, for some reason, while reading the ARP table from Palo Alto,
> the records are constantly expiring and being added again. This does
> not occur for the ARP records received via SNMP. Has anyone observed
> this situation?

I have not, but I don't have access to a Palo Alto firewall myself.

However, I suspect there may be some unintended entanglement with the
regular SNMP ARP plugin that (by default config) runs immediately
before the Palo Alto ARP plugin.  It does mark records as missing if it
doesn't find them using SNMP.  The actual database updates do not happen
until the entire job (including the PaloAlto plugin) is finished, so the
Palo Alto plugin would have the opportunity to rectify any incorrect
markings.

Unfortunately, I don't think Mr. Heimonen, who contributed the Palo Alto
plugin, is a member of this list, so I'm Cc:ing him.  This functionality
was provided courtesy of the University of Tromsø, who needed it, but I
don't know what their experience with this in production is thus far.


--
Sincerely,
Morten Brekkevold

Sikt – Norwegian Agency for Shared Services in Education and Research